bumblebee | c640adc8c6c82e658ccc5595ac2ca3c1c226a87206ae8a1e31c3db261aeac0df

Analysis

max time kernel
151s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

project information.lnk
Size

987B
MD5

52318d33bcdb7be297b3fc01cb2b590c
SHA1

9c0e1191509c7d610c5e3cfbb8bc1b83b28fb03f
SHA256

da489201afe602684791b0a4b7b238df9f3549c276ccdcaeca8375f31f2b66dc
SHA512

27c48a86e08dcd3806f8989be739615f2c978da0dd216a43696590603be51867bff03d66e5bf808acd5d51ac203254b8eefd1d8dc6b9325ac5c0f3f2833ba8f2

Score

10^/10

bumblebee 102cc trojan

Malware Config

Extracted

Family

bumblebee

Botnet

102cc

160.20.147.242:443

146.19.173.86:443

51.68.144.43:443

172.86.120.111:443

103.175.16.104:443

104.168.157.253:443

23.254.167.63:443

205.185.113.34:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	TUmLJFkwKhG.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2412	TUmLJFkwKhG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1960	4588	cmd.exe	81
PID 4588 wrote to memory of 1960	4588	cmd.exe	81
PID 1960 wrote to memory of 4816	1960	cmd.exe	82
PID 1960 wrote to memory of 4816	1960	cmd.exe	82
PID 4816 wrote to memory of 3108	4816	cmd.exe	83
PID 4816 wrote to memory of 3108	4816	cmd.exe	83
PID 1960 wrote to memory of 2412	1960	cmd.exe	84
PID 1960 wrote to memory of 2412	1960	cmd.exe	84

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\project information.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c topicsMain.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\TUmLJFkwKhG.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\TUmLJFkwKhG.exe
      4⤵
      PID:3108
- - C:\ProgramData\TUmLJFkwKhG.exe
    "C:\ProgramData\TUmLJFkwKhG.exe" bios.dll,stProgNew
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TUmLJFkwKhG.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\ProgramData\TUmLJFkwKhG.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/2412-138-0x000002D06DED0000-0x000002D06E031000-memory.dmp

Filesize
1.4MB

Download
memory/2412-139-0x000002D06DC90000-0x000002D06DD0F000-memory.dmp

Filesize
508KB

Download